I understand the basics of session renegotiation. (And yes, I am familiar
with
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION.)
Not clear to me: should I be setting
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION?

What I am mostly looking for is some clue as to what would be a good default
for how often to force renegotiation: every megabyte? Every ten megabytes?
Every 100 megabytes?

The data is "one-way" (client to server only) and what I would call "medium
sensitive": typically no national secrets or credit card numbers, but lots
of userids and critical filenames. (Commercial "multi-purpose" application
so a little difficult to predict *exactly* what the data will be.) The data
is also highly repetitive (which I understand makes it easier to crack). It
might also be possible for a rogue to "force" a predictable stream of data
by taking a particular action.
        
The server would typically be on a private network but might in some cases
be Internet-facing. The server would typically be long-running (weeks
without a restart). I am using OpenSSL 1.0.1c 10 May 2012.

Thanks,
Charles 

